The agents don't run the commands
398 views
Skip to first unread message
martin falcon
Feb 19, 2018, 4:54:31 PM2/19/18
to Wazuh mailing list
Hello, My agents are pulling the configuration correctly. However, they don't run or don't return the results to master. The agent.conf in the agent looks like this:
cat /var/ossec/etc/shared/agent.conf
<agent_config>
<!-- Shared agent configuration here -->
<localfile>
<log_format>full_command</log_format>
<command>yum list installed</command>
<alias>package installed</alias>
<frequency>20</frequency>
</localfile>
<localfile>
<log_format>full_command</log_format>
<command>sudo grep -o '^[^:]*' /etc/passwd | xargs -L1 id</command>
<alias>Users PCI</alias>
<frequency>360</frequency>
</localfile>
</agent_config>But when I try to see the results, I got 0 results (Please find my attachment).
Could you help me to understand what I missing here?
Thanks!
Victor Fernandez
Feb 19, 2018, 5:01:28 PM2/19/18
to martin falcon, Wazuh mailing list
Hi Martin,
Agents don't allow commands defined remotely by default, this is a security precaution.
Have you enabled remote commands? This option makes agents accept such commands.
You should add this line to /var/ossec/etc/local_internal_options.conf:
logcollector.remote_commands=1
And then restart the agent:
$ sudo /var/ossec/bin/ossec-control restart
You can find further information in the documentation: https://documentation.wazuh.com/current/user-manual/reference/internal-options.html
Hope it help.
Best regards,
Victor M Fernandez-Castro
IT Engineer — Wazuh, Inc.
IT Engineer — Wazuh, Inc.
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/b83e078e-4770-416b-8dd1-cb0e284013ed%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
martin falcon
Feb 19, 2018, 5:25:08 PM2/19/18
to Wazuh mailing list
Thanks a lot Victor! that works!
I just confused because of this https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!topic/wazuh/763NyAdwyqw
Chema said "The centralized configuration is enabled in agents by default as always. "
I just confused because of this https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!topic/wazuh/763NyAdwyqw
Chema said "The centralized configuration is enabled in agents by default as always. "
Reply all
Reply to author
Forward
0 new messages